Cato Networks
Cato Networks provides an enterprise cloud service offering several integrated networking and security tools. These can be used to connect “all branch offices, mobile users, physical and cloud data centers to provide secure WAN and internet connectivity everywhere.”
To set up Cato Networks:
- Read the requirements and complete any prerequisite steps.
- Create an API key and obtain your Account ID from Cato Networks.
- Set up the Cato Networks event source in SIEM (InsightIDR).
- Verify the configuration works.
You can also:
Requirements
Before you start the configuration:
- Ensure you have access to a Cato Networks account with Editors access.
- Determine the region identifier for the relevant Cato API based on the following table. You will need to provide this region when configuring the event source in SIEM (InsightIDR). Read Cato’s documentation for more information on API Endpoint and Schema.
| Region | Cato API URL |
|---|---|
| EU | https://api.catonetworks.com/api/v1/graphql2 |
| US | https://api.us1.catonetworks.com/api/v1/graphql2 |
| India | https://api.in1.catonetworks.com/api/v1/graphql2 |
Create an API key and Obtain your Account ID from Cato Networks
- Log in to your Cato Networks Editors Account.
- Record the Account ID that appears in the Cato Networks URL to a temporary text file. If you have multiple account IDs you wish to monitor, repeat this step for each. For example, if your Account ID is “1234” then the URL should look like:
https://rapid7.catonetworks.com/#!/1234/topology
- Open the Navigation Menu and click Administration > API Management.
- Enter the Name of the key and click Apply. If the API key has been successfully added a window will appear displaying the new API key.
- Click the Copy Icon to copy your API key and ensure you Save it to a secure location. Once you close the window you can no longer access the value of the API key.
- Click Ok to close the API window.
- On the API Management page click the Event Feed Enabled toggle to enable your account to send events to the Cato API servers.
Configure SIEM (InsightIDR) to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).
To configure the new event source in SIEM (InsightIDR):
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Cato Networks in the event sources search bar.
- In the Product Type filter, select Firewall.
- Select the Cato Networks event source tile.
- Name your event source. If you do not, SIEM (InsightIDR) will apply the default event source name “Cato Networks”.
- Choose your collector and Cato Networks from the event source drop-down.
- Enter the Account ID that you obtained from your Cato Networks Profile URL. If you wish to enter multiple Account IDs you must separate them using a comma.
- Select your credentials, or create a new credential. If you’re creating a new credential, enter the API key you created in Cato Networks.
- In the Region dropdown, select the relevant region identifier you determined in the requirements.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Select an attribution source.
- Click Save.
Verify the configuration
Complete the following steps to view your logs and ensure events are making it to the Collector.
- On the new event source that was just created, click View raw log. If you see log messages in the box, then this shows that logs are flowing to the Collector.
- Go to Alerts > Log Search.
- Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Cato Networks” if you did not name the event source. Cato Networks logs flow into the Cato Networks log set.
Sample Logs
Example of internet firewall logs:
```json
{
"time": "2021-12-01T15:07:11Z",
"fieldsMap": {
"ISP_name": "Firewall (Internet) ISP",
"account_id": "5678",
"action": "Monitor",
"application": "DNS",
"dest_ip": "10.0.0.2",
"dest_is_site_or_vpn": "Site",
"dest_port": "53",
"dest_site": "CSI LV-SWI",
"event_count": "1",
"event_sub_type": "Internet Firewall",
"event_type": "Security",
"internalId": "FH67fuFj6H",
"ip_protocol": "UDP",
"os_type": "OS_WINDOWS",
"os_version": "10",
"pop_name": "PopName",
"rule": "Migrated by Cato Allow All WAN",
"rule_id": "1234",
"rule_name": "Migrated by Cato Allow All WAN",
"src_country": "United States of America",
"src_ip": "10.0.0.1",
"src_is_site_or_vpn": "VPN User",
"src_isp_ip": "10.0.0.3",
"src_site": "John Adams",
"time": "1638371231662",
"vpn_user_email": "john.adams@catonetworkscustomer.com"
}
}
```
Example of WAN firewall logs:
```json
{
"time": "2021-12-01T15:06:59Z",
"fieldsMap": {
"ISP_name": "Firewall (WAN) ISP",
"account_id": "5678",
"action": "Monitor",
"application": "HTTP(S)",
"dest_ip": "10.0.0.5",
"dest_is_site_or_vpn": "Site",
"dest_port": "80",
"dest_site": "CSI LV-SWI",
"event_count": "1",
"event_sub_type": "WAN Firewall",
"event_type": "Security",
"internalId": "f85jFRj683",
"ip_protocol": "TCP",
"os_type": "OS_WINDOWS",
"os_version": "10",
"pop_name": "PopName",
"rule": "Migrated by Cato Allow All WAN",
"rule_id": "1234",
"rule_name": "Migrated by Cato Allow All WAN",
"src_country": "United States of America",
"src_ip": "10.0.0.4",
"src_is_site_or_vpn": "VPN User",
"src_isp_ip": "10.0.0.6",
"src_site": "Kerry Smith",
"time": "1638371219092",
"vpn_user_email": "kerry.smith@catonetworkscustomer.com"
}
}
```
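The following Python is an added example, not code from Rapid7 or Cato, showing how to work with the event format above: it flattens the `fieldsMap` record, converts the inner epoch-millisecond `time` to UTC, checks it against the outer ISO-8601 `time`, and filters on the comma-separated Account ID list that InsightIDR accepts. The sample events are constructed from the two page samples (trimmed to the fields used).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events mirroring the page's Internet Firewall and WAN Firewall
# records (trimmed to the fields this example uses).
SAMPLE_EVENTS = [
    {"time": "2021-12-01T15:07:11Z",
     "fieldsMap": {"account_id": "5678", "action": "Monitor", "application": "DNS",
                   "dest_ip": "10.0.0.2", "dest_port": "53", "ip_protocol": "UDP",
                   "event_sub_type": "Internet Firewall", "event_type": "Security",
                   "rule_id": "1234", "rule_name": "Migrated by Cato Allow All WAN",
                   "src_ip": "10.0.0.1", "src_is_site_or_vpn": "VPN User",
                   "time": "1638371231662",
                   "vpn_user_email": "john.adams@catonetworkscustomer.com"}},
    {"time": "2021-12-01T15:06:59Z",
     "fieldsMap": {"account_id": "5678", "action": "Monitor", "application": "HTTP(S)",
                   "dest_ip": "10.0.0.5", "dest_port": "80", "ip_protocol": "TCP",
                   "event_sub_type": "WAN Firewall", "event_type": "Security",
                   "rule_id": "1234", "rule_name": "Migrated by Cato Allow All WAN",
                   "src_ip": "10.0.0.4", "src_is_site_or_vpn": "VPN User",
                   "time": "1638371219092",
                   "vpn_user_email": "kerry.smith@catonetworkscustomer.com"}},
]


def normalize(event: dict) -> dict:
    """Flatten one Cato event. The outer 'time' is ISO-8601 (second resolution);
    fieldsMap['time'] is epoch milliseconds. Both describe the same event."""
    f = event["fieldsMap"]
    ms = int(f["time"])
    inner_ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    outer_ts = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec = {k: v for k, v in f.items() if k != "time"}
    rec["timestamp"] = inner_ts.isoformat(timespec="milliseconds")
    rec["dest_port"] = int(f["dest_port"])
    # More than a second of disagreement points to a parsing or clock problem worth alerting on.
    rec["time_skew_ok"] = abs((inner_ts - outer_ts).total_seconds()) < 1.0
    return rec


def select_events(events, account_ids: str, sub_type: str = None) -> list:
    """Keep events for the monitored Account IDs (comma-separated, as entered in
    InsightIDR), optionally restricted to one event_sub_type."""
    wanted = {a.strip() for a in account_ids.split(",") if a.strip()}
    out = []
    for ev in events:
        rec = normalize(ev)
        if rec["account_id"] not in wanted:
            continue
        if sub_type and rec["event_sub_type"] != sub_type:
            continue
        out.append(rec)
    return out
```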